Humaira Dar et al, Int. Journal of Engineering Research and Application
ISSN: 2248-9622, Vol. 3, Issue 5, Sep-Oct 2013, pp. 1874-1881
RESEARCH ARTICLE
www.ijera.com
OPEN ACCESS
Secure Scheme for User Authentication and Authorization in Android Environment
Humaira Dar, Wajdi Fawzi Mohammed Al-Khateeb and Mohamed Hadi Habaebi
(Department of Computer and Information Engineering, Kulliyyah of Electrical and Electronic Engineering, International Islamic University Malaysia)
Abstract
Providing strong security for sensitive transactions and communication in online premium applications is still an open question of standardization in the area of networking and security. Currently the majority of authentication and authorization techniques are designed on top of a One-Time Password (OTP) delivered to, or generated on, a trusted handheld device of the user. However, given the various serious threats to mobile security systems, the existing security can be said to be insufficient. With a view to effective authentication and authorization, this paper proposes a technique that reduces the operational cost by generating mobile-based One-Time Passwords (OTPs) on the Android environment using secure hash algorithms, ensuring enhanced protection with respect to password security. Implemented on the Java platform, the techniques discussed in the paper are found to be robust.
Keywords: Authentication and Authorization, Hash Function, MD5, One Time Password, SHA-3
I.
INTRODUCTION
The concern of user authentication and authorization over a public network has always been central to computer networking and security. Authentication is the process of verifying who the user is, while authorization is the process of verifying that the user is permitted to access a resource. A public network is characterized by multiple users in multiple locations with an undefined range of motives for their use of the Internet. This exposure poses a considerable threat to sensitive premium-based applications such as banking transactions and data storage in the cloud. Password-based protocols are used by almost every secure application because they are easy, comfortable and widely accepted by the majority of users. However, security experts do not recommend heavy reliance on password-based authentication over a public network, and yet even in the current era of security modernization password-based systems remain the most common means of user authentication. Because passwords are formed from sensitive and confidential information, unauthorized access to user passwords in large-scale networked systems has been studied extensively in past research [1][2][3][4]. One of the significant issues with traditional password-based security is that users have a strong propensity to select intrinsically unsafe passwords that are easy to memorize. This leads directly to dictionary attacks [5], where the adversary tries many candidate strings over the network until arriving at the genuine user's password. With the current availability of password cracking tools [6][7][8] and keylogger software [9], password recovery has become much easier for the attacker. Nor are private networks secure under existing systems: several incidents have been reported in the past where reputed enterprises such as eBay, ICICI Bank, the World Bank and Walmart have been hacked, with massive losses of property and highly confidential data [10][11][12]. This paper presents a secure framework and architecture that addresses these issues of user authentication. An architecture is a description of how an application is structured, usually shared through natural-language documentation and highly structured methods; a framework is an implementation of that architecture which the designer deploys as the skeleton on which the desired application is built.

The paper briefly illustrates the adoption of a cost-effective technique that can be applied to any premium-based application, ensuring privacy, confidentiality and non-repudiation, and hence safeguarding the interests of enterprises as well as clients in secure user authentication and authorization. Prior research work is discussed in Section 2, followed by problem identification in Section 3. Section 4 discusses the proposed system. The research methodology is discussed in Section 5, followed by the implementation in Section 6; Section 7 makes some concluding remarks.
II.
RELATED WORK
The various problems pertaining to security and authentication when accessing private and highly privileged information have been studied by many researchers, as discussed below. The work surveyed here highlights the techniques adopted in the past to mitigate various types of attacks on user authentication systems. In exploring the techniques adopted in the past as well as existing systems, it was found that the use of One-Time Passwords (OTPs) appears to offer better security for access management in public as well as private networks [13]. A One-Time Password is valid for only one access attempt within a unit of transactions. One obvious advantage of OTPs is their resistance to replay attacks [12]: a value, once used, is never accepted a second time, so a password that has fallen into an attacker's possession is of no further use. The use of OTPs has therefore been investigated as a route to more secure user authentication. Various OTP technologies have also been patented; however, standardization of the OTP technique is challenging because of the diverse formats of usage and architectures proposed by previous researchers and protocol designers.

Tao et al. [14] have demonstrated a new authentication scheme based on OTPs. The scheme generates random numbers quickly by physical methods and applies them throughout the whole authentication process. It can guarantee the dynamic and secure property of passwords, can therefore defend against many human-originated attacks, and is suited to fields which need a high security guarantee, such as finance and stock exchange systems.

Kim et al. [15] have proposed a secure and fast one-pass authentication procedure bundling NACF and IMS authentication under enhanced security. The proposed scheme considerably reduces the complexity of the authentication procedure compared to existing approaches. The paper mainly focuses on a method for authenticating federated Single Sign-On (SSO) for application services and IMS services based on a network ID in the Next Generation Networks (NGN) environment. Federated SSO is a form of Single Sign-On in which the user can select the subscription of a federation operator in real time. To build this system they need a Service Control Function (SCF), Network Access Control Function (NACF), Web Application Service Control Function (WASCF) and NGN Terminal Function (NTF).
Eldefrawy et al. [16] have presented a novel two-factor authentication scheme whereby a user's device produces multiple OTPs from an initial seed using the proposed production scheme. The initial seed is produced from the communication partners' unique parameters. Applying the many-from-one function to a given seed removes the requirement to send SMS-based OTPs to users, and reduces the restrictions imposed by the SMS system.

Srivastava et al. [17] have presented an improved authentication scheme over the existing port-knocking methods, which are prone to reasonable attacks and vulnerabilities. The paper addresses those vulnerabilities and accordingly provides a mechanism to harden the port-knocking mechanism. In client-server communication, clients request services by connecting to a specific port on the server; for security, all the ports on the server are initially closed and no connection is possible.

Hsieh et al. [18] have proposed a novel authentication scheme which exploits volatile passwords, One-Time Passwords (OTPs), based on the time and location information of the mobile device, to transparently and securely authenticate users while accessing Internet services such as online banking and e-commerce transactions. Compared to a permanent-password scheme, an OTP-based one can prevent users from being eavesdropped. In addition to its memoryless feature, the scheme restricts the validity of the OTP not only to a certain time period but also to a tolerated geographic region, to increase the security protection.

Ren et al. [19] have demonstrated a secure dynamic user authentication scheme. Unlike traditional password authentication (where a static password is used) or two-factor authentication (where two pieces of authentication information are required), their scheme uses a dynamic one-time password (OTP) based on the user's password, the authentication time, and a unique property that the user possesses at the moment of authentication (that is, "something the user has", for example the MAC address of the machine the user uses to authenticate).

Moon et al. [20] have presented three solutions for the fuzzy fingerprint vault that are more useful, secure and effective. First, they propose a geometric hash table for automatic fingerprint alignment. Second, they propose a secure fuzzy fingerprint vault that is resistant to the correlation attack. Third is a fuzzy fingerprint vault using a One-Time Template (OTT), which generates a different biometric template each time, much like a one-time password.

Shin et al. [21] have proposed an efficient and lightweight multi-user authentication scheme based on cellular automata (CA) in cloud computing environments. In the proposed scheme, the authentication process is performed securely by a CA-based One-Time Password (OTP) authentication which is a randomized evolution. Their experiments support the security of the proposed scheme.
Indu et al. [22] have proposed a system that uses a mobile phone as a software token for One-Time Password generation. The OTP algorithm, powered by the user's unique identifiers, the International Mobile Equipment Identity (IMEI) and the Subscriber Identity Module (SIM), produces a finite alphanumeric token valid for one session and for a single use.

Fan et al. [23] propose an active one-time password (AOTP) mechanism for user authentication to overcome the two problems mentioned above, password stealing and password reuse, using a cell phone and the short message service. With AOTP there is no need for additional tokens, card readers and drivers, or unfamiliar security procedures, and the user can choose any desired password to register on all websites.

The above discussion shows various prior research studies that have attempted to propose OTP-based techniques for ensuring security over online transactions. It can be noted that Eldefrawy [16] has proposed a work titled "OTP-Based Two-Factor Authentication Using Mobile Phones" which exhibits a two-factor authentication scheme. The results show that the computation time was low and independent of any public-key technique, which motivates us to consider the work of Eldefrawy [16] as the basis for a framework with a better computational model. Furthermore, that scheme generates a 128-bit authentication password that is neither user-friendly nor storage efficient, and its size poses further authentication issues. We therefore chose to carry out further enhancement from this point.
III.
PROBLEM IDENTIFICATION
The problem statement of the proposed study is as follows: although the use of OTPs ensures security in user authentication, the generation of the OTP by a GSM-based server in current mobile-based authentication systems can be compromised, and a serious, cost-effective protocol for user authentication is required.

OTPs are classified into two types: i) time-based OTPs and ii) event-based OTPs. In a time-based OTP the value changes at frequent, fixed intervals of time, whereas in an event-based OTP a new value is generated on the user's hardware device each time an event occurs, such as pressing the button on the token, which advances a counter. A significant observation about event-based OTPs is that the OTP value does not automatically expire after a given amount of time. This means that if an OTP is somehow obtained maliciously by an attacker, there is a higher chance that it can be used later to break into the user's account. It is to be noted that the compromised OTP value is only valid until the legitimate user next carries out an authentication procedure, because when the legitimate user authenticates, the current sequence number is updated to the one on the device, making all previous sequence numbers (and their associated OTP values) invalid. In addition to the above, unobserved physical access to the OTP device is needed to complete this attack. If an attacker can acquire physical access to the device, then he can extract multiple OTP values by pressing the button a number of times; however, there is not much difference between this and obtaining one OTP and remaining logged on.

We regard the security compromises discussed above as comparable. On the one hand, with an event-based OTP there is no need to use the password immediately, as there is with a time-based OTP. On the other hand, an event-based OTP requires unobserved physical access to the device, whereas with a time-based OTP it can be much easier to obtain a valid OTP. In either case, the threat highlighted by these attacks is not as serious as it may seem, because OTP systems usually rely on two-factor authentication and so the user also has a short 4-digit PIN (or longer password) that is required. Thus, obtaining the OTP alone is not enough, and the scope for an attacker is restricted in both cases. Additionally, OTP systems usually lock the user out after a number of unsuccessful logon attempts.
IV.
PROPOSED SYSTEM
Authentication and authorization play a key role in ensuring the security of any communication network, especially the GSM network. The review of the literature shows that the existing security over GSM is not enough to ensure efficient authentication and authorization. The current study is inspired by the work of Eldefrawy [16] titled "OTP-Based Two-Factor Authentication Using Mobile Phones", which discusses two-factor authentication using OTPs. However, after in-depth scrutiny of Eldefrawy's work, it was found that the generated OTP is very large (for example 68606061177919188523363813602016333158), which is neither user-friendly nor storage efficient. The major security loophole in that usage of OTPs is that the generated password travels over the GSM network, where there is a higher degree of intrusion. Another prominent issue with the majority of OTP schemes (including Eldefrawy's) is that they are not preferred for mobile phones because of the time synchronization they require, which usually depends on an internal clock-synchronization system. Moreover, the author deployed the hash functions SHA-1 and MD5, and there are already published attacks on SHA-1 that matter on a vulnerable public network. Hence, our first enhancement to Eldefrawy's work is to adopt SHA-3. One of the prime reasons is that SHA-3 uses a different design (the Keccak sponge construction) from SHA-1, so the known attacks on SHA-1 do not carry over to SHA-3. Eldefrawy used a single hash function for first-time OTP generation, whereas we integrate two different hash functions at every OTP generation. This second enhancement yields an OTP that is potentially stronger than Eldefrawy's. The third enhancement concerns the length of the generated OTP. The OTP in Eldefrawy's approach is 128 bits, and entering 128 bits of data even in numeric form is highly complex and error-prone. We amend this by applying byte-to-word conversion, using an alternative dictionary encoding of the generated OTP that makes the OTP long enough for security and short enough for the user. The proposed study attempts to minimize the operational cost by generating the authentication and authorization components on the user's trusted handheld device. Because these components are generated on the device, the system is rendered more secure, as they are not accessible to other networks. The proposed system is designed on Windows as well as on the Android mobile environment using Java as the programming tool.

The proposed study is designed to be accomplished in two stages: the OTP generation stage and the authentication stage. In the OTP generation stage, the user's private details along with the hardware profile of the user's handset (IMEI, IMSI and timestamp) are used to generate the OTP from the server. This much is the same as the existing system; the turning point of the proposed system is that when the user sends a challenge to the server, the server, before it starts using the user-generated password, requires coordinates, which have never been part of any previous experiment. A coordinate is a pair of two numbers, where the first number is the number of iterations of the SHA-3 hash function and the second is the number of iterations of the MD5 hash function. The coordinates are generated by the server using two independent random functions (these must be cryptographically secure generators, such as Java's SecureRandom rather than java.util.Random, or an attacker can predict the challenge). In order to mitigate other types of attack, the server is also designed to hold a separate substitute password that cannot be accessed by the user or by any other party on the network. This password is used as a third layer of security, authenticating the challenges generated by the server in order to verify the origin of the client. The prime objectives of the research undertaken are:
- To design a unique OTP generator scheme.
- To enhance the OTP generator scheme by using the SHA-3 hash function together with MD5.
- To design a module that generates two random coordinates (x, y) using two independent random functions.
- To generate a mobile-based One-Time Password (OTP) scheme on the Android environment that ensures enhanced protection with respect to password security.
- To ensure user identification by considering the hardware profile of the user's mobile handset (IMEI, IMSI and timestamp of the handset).
- To apply byte-to-word conversion to the generated 128-bit OTP.
V.
RESEARCH METHODOLOGY
The research methodology of the current study is as follows.

Stage-1: To design the User Profile: In this stage, the initial OTP is designed to be generated on both the server side and the user side. A user interface is designed through which the user registers with the server. The tools used for this purpose are the JDK, JSP and Apache Tomcat as software, and the hardware consists of a standard 32-bit Windows OS (Windows XP) with a minimum of 1 GB RAM and a 1.84 GHz processor.

Stage-2: Designing the Hardware Profile: For OTP generation, the hardware profile consists of two hash functions (SHA-3 and MD5), the IMEI (International Mobile Equipment Identity), the IMSI (International Mobile Subscriber Identity) and a timestamp. The coordinates are represented as (x, y). SHA-3 and MD5 are used as standard algorithms. It should be noted that the IMEI and IMSI are identifiers rather than secrets: they are known to the carrier and readable by any Android application holding the READ_PHONE_STATE permission, so they tie the OTP to a handset but the seed must also contain material an attacker cannot simply look up. The proposed system does not use any conventional encryption or decryption technique. Instead it considers a digital signature (that is, a hash digest) of the data (the seed), and this digest is matched on the server side as well as on the client side. A digest carries no information about the data, being only an identification of it, whereas the ciphertext of the data contains the original data in transformed form. This means that intercepting the digest does not yield the data, while there is a fair possibility of recovering the data from ciphertext; hence we chose not to perform encryption and decryption. The system generates the values of x and y (the coordinates) using two independent random functions, where x is the number of iterations of SHA-3 and y the number of iterations of MD5. The result is a 128-bit MD5 output, and the user is required to feed the OTP in manually, since OTP systems are designed to be entered manually rather than automated. Entering 128 bits of data is a complex and error-prone process; hence it is converted into byte-to-word format using an alternative dictionary encoding. For that, the 128 bits are collapsed to a 64-bit result, which is further decomposed into pairs of bits that are summed together. The two least significant bits of this sum are encoded in the last two bits of the six-word sequence, with the least significant bit of the sum as the last bit encoded. All compliant servers must agree on the six-word input that uses the standard dictionary. Note that chaining MD5 after SHA-3 bounds the OTP by MD5's 128-bit output (64 bits after folding); the security of the scheme then rests on the preimage resistance of MD5, not on its collision resistance, which is known to be broken.
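The Stage-2 pipeline as an added, runnable Python example (the paper's own implementation is Java; this code is not the paper's). Assumed details that the text does not fix: the seed is SHA3-256 over "IMEI|IMSI|timestamp"; SHA3-256 stands in for "SHA-3"; the 128-bit MD5 output is folded to 64 bits by XOR-ing its two halves (the RFC 2289 fold); and a constructed list of 2048 placeholder tokens stands in for the RFC 1751 English dictionary, which is too long to embed. The parity rule and the six-word packing follow RFC 1751 as the paragraph describes them, and the decoder rejects a mistyped word whose parity no longer matches before the server compares anything.

```python
import hashlib
import hmac
from typing import List

# Constructed stand-in for the 2048-word RFC 1751 dictionary (the real list
# holds English words of one to four letters; any 2048 distinct tokens give
# the same arithmetic). Assumption, not the paper's word list.
WORDS = ["W%04d" % i for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(WORDS)}


def make_seed(imei: str, imsi: str, timestamp: str) -> bytes:
    """Seed from the handset's hardware profile (Stage-2). The
    concatenate-then-hash form is an assumption; the paper only names inputs."""
    return hashlib.sha3_256(f"{imei}|{imsi}|{timestamp}".encode()).digest()


def hybrid_otp(seed: bytes, x: int, y: int) -> bytes:
    """x iterations of SHA-3 followed by y iterations of MD5 (16-byte result).
    SHA3-256 is assumed for 'SHA-3'; the paper does not fix the output size."""
    if x < 1 or y < 1:
        raise ValueError("coordinates must be positive iteration counts")
    h = seed
    for _ in range(x):
        h = hashlib.sha3_256(h).digest()
    for _ in range(y):
        h = hashlib.md5(h).digest()
    return h


def fold64(digest128: bytes) -> int:
    """Collapse the 128-bit MD5 output to 64 bits by XOR-ing the halves
    (the fold used by RFC 2289; assumed here, the paper says only 'collapses')."""
    hi = int.from_bytes(digest128[:8], "big")
    lo = int.from_bytes(digest128[8:], "big")
    return hi ^ lo


def parity2(key64: int) -> int:
    """RFC 1751 parity: add the 32 two-bit pairs of the key and keep the two
    least significant bits of the sum."""
    total = sum((key64 >> (2 * i)) & 0b11 for i in range(32))
    return total & 0b11


def to_six_words(key64: int) -> List[str]:
    """64 key bits + 2 parity bits = 66 bits = six 11-bit word indices; the
    parity bits land in the last two bits of the sixth word."""
    bits66 = (key64 << 2) | parity2(key64)
    return [WORDS[(bits66 >> (11 * (5 - i))) & 0x7FF] for i in range(6)]


def from_six_words(words: List[str]) -> int:
    """Inverse of to_six_words; raises if the parity does not match, which
    catches a mistyped word before any comparison with the expected OTP."""
    if len(words) != 6:
        raise ValueError("expected six words")
    bits66 = 0
    for w in words:
        bits66 = (bits66 << 11) | WORD_INDEX[w.upper()]
    key64, par = bits66 >> 2, bits66 & 0b11
    if par != parity2(key64):
        raise ValueError("parity check failed")
    return key64


def generate_otp(seed: bytes, x: int, y: int) -> List[str]:
    """Client side: seed -> SHA-3^x -> MD5^y -> fold to 64 bits -> six words."""
    return to_six_words(fold64(hybrid_otp(seed, x, y)))


def verify_otp(seed: bytes, x: int, y: int, words: List[str]) -> bool:
    """Server side: recompute from the shared seed and the same coordinates."""
    try:
        presented = from_six_words(words)
    except (ValueError, KeyError):
        return False
    expected = fold64(hybrid_otp(seed, x, y))
    # constant-time comparison of the 8-byte values rather than Python ==
    return hmac.compare_digest(presented.to_bytes(8, "big"),
                               expected.to_bytes(8, "big"))


if __name__ == "__main__":
    # constructed sample hardware profile; not real identifiers
    seed = make_seed("356938035643809", "310150123456789", "2013-09-01T10:00:00")
    x, y = 7, 3  # the coordinates the server would send as its challenge
    otp = generate_otp(seed, x, y)
    print(" ".join(otp))
    print(verify_otp(seed, x, y, otp))       # True
    print(verify_otp(seed, x, y + 1, otp))   # False: a different coordinate
```

With a real RFC 1751 word list only WORDS changes; the packing, parity and fold are independent of the vocabulary. Because the fold leaves 64 bits, the six words carry 2^64 possible values, so the strength of a single OTP is 64 bits regardless of how many hash iterations the coordinates request.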
Figure 1: Schematic Diagram of the Study. [Figure residue; labels recovered from the diagram: Input parameters; User Registration; Hardware profile (IMEI number, IMSI number, Timestamp); Server; User Generated Challenge; Server Generated Challenge (Seq. No.); SHA3 (x iterations); MD5 (y iterations); Generate Digital Signature; Byte-to-Word Conversion; Mobile Android Interface; Resource Access Management; Transmit Secure Status; the flow is numbered 1 to 12.]

Stage-3: Designing the Hybrid OTP: The 64-bit key that carries the authorization can be enclosed by six words from the standard dictionary, with space left over for parity; six words are long enough for security and short enough to be user-friendly. Authentication first acts as a security gate on the initial (static) password and then proceeds as follows:
1. The user logs in with the initial (static) password.
2. The initial password is generated during the registration phase.
3. The initial (static) password is authenticated.
4. The server then requests an OTP.
5. The user generates the OTP on the Android phone and replies to the server.
6. The server must generate the same OTP for authentication. The server checks the generated OTP using the x and y coordinates entered by the user in the previous step. Once the server has been authenticated in this way, it generates an OTP from the user's seed and a newly generated random coordinate, and sends the challenge to the user as the coordinate only.
7. From that challenge the user must be able to generate a password, and the generated OTP is checked on the server side. If the two passwords match, the user is authenticated and can access the application.

It can be seen from the above research methodology that we are introducing a novel concept of authentication. The majority of the OTP work in the literature survey has focused on user authentication only; in order to ensure better security, the contribution of the proposed work is to apply the principle that neither user nor server can be blindly trusted by the other. We therefore introduce an initial step in the methodology in which the user is first given the chance to verify the authenticity of the server; if that authentication succeeds, the server is then given the chance to authenticate the user. Authorization follows only after successful authentication by both parties.

VI.
IMPLEMENTATION
The proposed study is implemented in the following environment:
Operating System: Windows XP (on x86-32 and x86-64), Android OS
IDE: Eclipse 3.5
Software Package: JDK 1.6, 1.7
Software Technologies: JSP, Android
Browser: Firefox 15.0.1, Google Chrome, Internet Explorer 7 and above
Programming Language: Core Java/J2EE
Web Server: Apache Tomcat 5.5
Processor: 2 GHz CPU
Memory: 1 GB RAM

Figure 2: Structure Chart of Proposed Implementation. [Figure residue; module labels recovered: User Registration (User ID, Seed); OTP Generator (Challenge, First Hash Function, 160-bit data, Second Hash Function, Hex Conversion, Digital Signature); OTP Authentication (Challenge, OTP, Access Privileges).]

The primary module in the implementation phase is the user registration module, shown in Fig. 3. The main purpose of this module is a web-based application for enrolling or registering user profiles for the proposed authentication system. After generating the user interface on the Android platform, the design reads the hardware profile parameters (IMEI, IMSI, timestamp) that lead to the formation of the seed. The seed acts as input data for the process that transmits it over TCP/IP. The
input to this implementation module is the user details along with the hardware details of the mobile device, while the output is the seed used to complete user registration.

Figure 3: Flowchart of User Registration. [Figure residue; steps recovered: Start; generate user interface on Android; create instance of TelephonyManager; get device ID (IMEI), subscriber ID (IMSI) and build time; formation of seed; display; input seed to client app; send seed to server over TCP/IP; seed storage.]

The secondary module considered for the implementation is the secure hash function, shown in Fig. 4. The purpose of the hash function implementation is to secure the communication. The design uses hash-based OTPs: cryptographic hash algorithms compute the password. A cryptographic hash is a one-way function that maps an arbitrary-length message to a fixed-length digest. A hash-based OTP therefore starts with the inputs (synchronization parameter, secret key, PIN), runs them through the one-way function, and produces the fixed-length password. The system uses two such hash functions. The input to this module is the data to be hashed, handled through a MessageDigest instance for each algorithm, and the output is the digest (not ciphertext: as noted in Stage-2, the scheme performs no encryption).

Figure 4: Flowchart of Hash Function Implementation. [Figure residue; steps recovered: Start; MessageDigest md = MessageDigest.getInstance(algorithm); get user data; md.update(data); byte[] hash = md.digest(); Stop.]

The third implementation phase generates a new OTP, shown in Fig. 5. The purpose of this module is to generate the human-readable OTP on the mobile device that will be used for authentication. After logging into the service provider's website with a separate static username and password, the first factor of authentication, the server asks the user for the OTP's current status. If the user has generated numerous OTPs without using them, he may have advanced the OTP status. The user submits his current status to the server so that the server can calculate the current seed. The server then sends a random challenge value of new indexes, from which the user calculates his session OTP. The generated 160-bit SHA-3 hash is converted to hex format (the page gives 160 bits; the standardized SHA-3 output lengths are 224, 256, 384 and 512 bits, so this figure presumably reflects a truncated or variable-length Keccak output). The input to this module is the current status of the user, generated on the mobile device, and the output is the new human-readable OTP.

Figure 5: Flowchart of New OTP Generation at Client

The fourth module of the proposed system is the ultimate OTP generation, shown in Fig. 6. The purpose of this module is to generate the final OTP on the mobile device that will be used for final authentication. After the challenge is received from the server, it is read and split into the two coordinates, the SHA-3 hash output is generated, and the output of SHA-3 is fed to MD5, which generates the final OTP. The input to this module is the server-generated challenge and the output is the final OTP.

Figure 6: Flowchart of Final OTP Generation at Client

The final module of the proposed study is OTP authentication at the server, shown in Fig. 7. The purpose of this module is to perform the final authentication of the human-readable OTP when it is fed to the server. The user holds the two different hash functions along with the seed. To ensure that the information is completely shared with the service provider, the seed is produced from the shared and unique parameters of the host and user. The server randomly challenges the user with new indexes. The user enters those indexes into his OTP generator to obtain the corresponding OTP and responds with it. The server compares the received OTP with the calculated one and, according to that check, either proceeds to authorization or terminates the communication. The input of the module is the user details along with the hardware details of the mobile device, and the output is the final authentication of the OTP at the server.

Figure 7: Flowchart of OTP Authentication at Server. [Figure residue; steps recovered: Start; login page at client; read user ID and password; if not successfully authenticated, stop; generate new OTP on Android; send current status and generated OTP to server; if not successfully authenticated, stop; send server challenge to user; generate final OTP using the challenge at client and server; if OTP(C) = OTP(S), grant access privileges and send authentication privileges to server, otherwise stop.]

The browsing performance received special attention. Figure 8 shows the average access time on OTP lists of typical sizes. The access time grows linearly (with an outlier at lists of size 400, which is to be expected with a control sample of only 10 values). The average access time is below 1 second for lists of 100 to 500 OTPs, which is acceptable.

Figure 8: Average access time for OTP password lists of differing sizes
VII. CONCLUSION
The current study proposes the design of a novel
approach that aims at securing and authenticating the
user of online applications such as banking systems
and many other systems. The study shows that there is
a need to design and develop a conventional one-time
password using a mobile Android interface that
supports sustained performance. The prior literature
has discussed various OTP schemes whose results were
found to be not so efficient over mobile communication
networks. This proposal presents a novel password
authentication scheme in which the user devices
generate OTPs from an initial seed using the proposed
scheme. The initial seed is generated on both the
server side and the user side. For this generation,
two hash functions, SHA-3 and MD5, are used, and the
IMEI (International Mobile Equipment Identity), IMSI
(International Mobile Subscriber Identity) and a
timestamp are also required. It also generates the
values x and y, where x is the number of SHA-3
iterations and y is the number of MD5 iterations.
MD5 produces 128 bits of data, which is later
collapsed to a 64-bit result. According to RFC 1751,
a dictionary of 2048 English words ranging in length
from one to four characters is used. The space covered
by a 64-bit key can be encoded by six words from the
dictionary, with room left over for parity, and those
six words are in a user-readable format. The proposed
research work can be visualized with the following
points of scope that may reach commercial usage in
future:
The framework design will be highly resilient to
dictionary attacks, spoofing attacks, internet
spamming and any sort of unauthorized access,
due to its multiple layers of security, which are
practically impossible for an attacker to imitate or
access.
The proposed framework is developed and
experimented with on an Android-based mobile
environment, which is increasingly accepted by users
worldwide on smartphones and tablet PCs. Hence, the
technical adoptability of the proposed framework is
highly ensured.
As the proposed system does not use any sort of
complex cryptography, it ensures an optimal
verification as well as authentication time, which
was reflected as a major trade-off in previous
research work. Therefore, it leaves large scope for
future enhancement by researchers for much better
security prospects in their problems.
Hence, by recapping the above critical
points, it can be said that the proposed study can be
widely adopted in securing user authentication as well
as user authorization in the area of banking
transactions and any premium-based applications that
call for higher security.
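The client-side generation and server-side check described in the previous section, together with the pipeline this conclusion summarises (x rounds of SHA-3, y rounds of MD5, a 128-to-64-bit collapse and RFC 1751 word encoding), as an added Python example that is not the paper's own code. Assumptions, also labelled in the comments: the seed concatenation format, XOR of the two MD5 halves as the folding method, and a constructed stand-in list in place of the 2048-word RFC 1751 dictionary.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the RFC 1751 dictionary: the real list has 2048
# short English words; only the 11-bit indexing is demonstrated here.
WORDS = [f"w{i:04d}" for i in range(2048)]

def make_seed(imei, imsi, timestamp):
    # Seed from the shared device parameters named in the paper; the exact
    # concatenation format is an assumption, not the paper's.
    return f"{imei}|{imsi}|{timestamp}".encode()

def iterate_hash(name, data, rounds):
    # Apply the named hash 'rounds' times (x rounds of SHA-3, y rounds of MD5).
    for _ in range(rounds):
        data = hashlib.new(name, data).digest()
    return data

def fold_to_64(digest128):
    # Collapse the 128-bit MD5 output to 64 bits; XOR of the two halves is an
    # assumed folding method (the paper does not specify one).
    hi, lo = struct.unpack(">QQ", digest128)
    return hi ^ lo

def rfc1751_encode(key64):
    # RFC 1751: 64 key bits plus 2 parity bits (sum of the 32 two-bit groups
    # mod 4) form 66 bits, split MSB-first into six 11-bit dictionary indices.
    parity = sum((key64 >> s) & 3 for s in range(0, 64, 2)) & 3
    bits = (key64 << 2) | parity
    return [WORDS[(bits >> (55 - 11 * i)) & 0x7FF] for i in range(6)]

def generate_otp(seed, challenge, x, y):
    # Client side: seed || challenge index -> x rounds SHA-3 -> y rounds MD5
    # -> 64-bit fold -> six human-readable words.
    data = seed + challenge.to_bytes(4, "big")
    digest = iterate_hash("sha3_256", data, x)
    digest = iterate_hash("md5", digest, y)
    return rfc1751_encode(fold_to_64(digest))

def server_verify(seed, challenge, x, y, received_words):
    # Server side: recompute OTP(S) and compare with OTP(C) in constant time.
    expected = " ".join(generate_otp(seed, challenge, x, y))
    return hmac.compare_digest(expected, " ".join(received_words))

if __name__ == "__main__":
    seed = make_seed("123456789012345", "310150123456789", 1380000000)  # constructed
    otp = generate_otp(seed, challenge=42, x=3, y=2)
    print(" ".join(otp), server_verify(seed, 42, 3, 2, otp))
```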